Well since my first blog post I have been extremely busy getting Secure Technology Partners up and going. It is quite an undertaking!
I finally have a presence on the web: www.securetechfl.com. This will change to securetechUS.com shortly but we have not made the switch yet. I have the agreements in place for StillSecure and hopefully have BigFix done by the end of next week.
I am pulling the pieces together for the web-site and now have a new VP of Marketing!! Welcome, Jessica Cox! Jess has many years of experience in the marketing and advertising industries. She will be helping to design the web-site and getting the word out about Secure Technology Partners. Jess is also involved with the Conscience Youth Media Crew, (CYMC) a San Francisco based non-profit that helps children develop marketable skills for the film industry. It is quite an amazing job they are doing, taking at risk children and teaching them skills that they can then use to get jobs! What a concept!
Alan Shimel, author of StillSecureafteralltheeseyears, gave me a nice "Shout Out" in his blog on Wednesday. Thank you Alan! I need all the help I can get so if you have any suggestions or advice, please pass it on.
I hope that we will have more report on next week.
Adios!!
Friday, February 27, 2009
Thursday, February 26, 2009
NAC - What to do with it?
I saw a post on my FaceBook last night by Jennifer Jabbusch who writes Security Uncorked. Jennifer is one of the leading industry experts on Network Access Control (NAC). She was making a call out for people to participate in the survery for Information Week's Mike Fratto: "Is NAC Hot, Or Not". While going through the survery questions, it brough many thoughts to mind regarding the success or lack of success NAC has seen in IT adoption rates.
While at StillSecure, I was pretty emmersed in it. I got to understand NAC pretty well, but most importantly, the true benefits it brings to the business world. Most people view NAC as the "BIG STICK" that will protect their network from unwanted guests and provide the "BUTTON" to cast people off their network who do not comply with the current security policy.
While NAC can be all those things and more, that is not where the true benefit lies. First, and formost, your NAC solution should provide you with a tool to test your end points and evaluate how "Out of Compliance", your end points are. This is probably the most important aspect of a "True" NAC solution, to provide visibility into the end point. Most organizations, have implemented an "Acceptable Use Policy"; however, most have not defined an acceptable user application profile or do not enforce it because they have no means of doing so.
Visibility into the end point is the most important feature of NAC, and the second most valuable feature is the ability to act on the end point should it be in a critical state that might compromise your network.
If you think about it, what was the last cool application that took off like wild fire? Did you know who was using it? What is the most proliferate application not considered or part of the "approved list"? Can you answer those questions? What if a vulnerability came out for iTunes? Would you know who was using iTunes, and had the latest patch to address the vulnerability? For those that were not patched could you act on them to isolate them from your network?
This is an example of the visibility and control you should have over your end points. Not from that standpoint that you are now the traffic cop and will be able to knock whoever you wish off your network whenever you feel like flexing your muscle, but by giving you the status of your network, you can then provide the education to the users where you see shortcomings and work on getting your environment into compliance. You can better understand your security practce and fill in the gaps for your shortcomings. NAC will allow you to know how effective your antivirus updates are in reaching your endpoints, how many people have not patched with the last MS updates, and of course many other ways to profile your IT infrastructure.
This is where the value lies. Of course after you get everyone into posture, you can then take action if necessary, but only after you truly understand what is going on in your environment.
If you are interested in knowing more about your endpoints, StillSecure has a free version of Safe Access that will test up to 250 users called "Safe Access Lite". It goes in simply and will give you a very quick idea of what your end points really look like. BigFix is another solution that will do this for you, but you will have to contact them for a trial.
I could go on and on regarding NAC, however I think the starting point is to understand what value it has to your environment.
Stay tuned!
While at StillSecure, I was pretty emmersed in it. I got to understand NAC pretty well, but most importantly, the true benefits it brings to the business world. Most people view NAC as the "BIG STICK" that will protect their network from unwanted guests and provide the "BUTTON" to cast people off their network who do not comply with the current security policy.
While NAC can be all those things and more, that is not where the true benefit lies. First, and formost, your NAC solution should provide you with a tool to test your end points and evaluate how "Out of Compliance", your end points are. This is probably the most important aspect of a "True" NAC solution, to provide visibility into the end point. Most organizations, have implemented an "Acceptable Use Policy"; however, most have not defined an acceptable user application profile or do not enforce it because they have no means of doing so.
Visibility into the end point is the most important feature of NAC, and the second most valuable feature is the ability to act on the end point should it be in a critical state that might compromise your network.
If you think about it, what was the last cool application that took off like wild fire? Did you know who was using it? What is the most proliferate application not considered or part of the "approved list"? Can you answer those questions? What if a vulnerability came out for iTunes? Would you know who was using iTunes, and had the latest patch to address the vulnerability? For those that were not patched could you act on them to isolate them from your network?
This is an example of the visibility and control you should have over your end points. Not from that standpoint that you are now the traffic cop and will be able to knock whoever you wish off your network whenever you feel like flexing your muscle, but by giving you the status of your network, you can then provide the education to the users where you see shortcomings and work on getting your environment into compliance. You can better understand your security practce and fill in the gaps for your shortcomings. NAC will allow you to know how effective your antivirus updates are in reaching your endpoints, how many people have not patched with the last MS updates, and of course many other ways to profile your IT infrastructure.
This is where the value lies. Of course after you get everyone into posture, you can then take action if necessary, but only after you truly understand what is going on in your environment.
If you are interested in knowing more about your endpoints, StillSecure has a free version of Safe Access that will test up to 250 users called "Safe Access Lite". It goes in simply and will give you a very quick idea of what your end points really look like. BigFix is another solution that will do this for you, but you will have to contact them for a trial.
I could go on and on regarding NAC, however I think the starting point is to understand what value it has to your environment.
Stay tuned!
Wednesday, February 25, 2009
Subscription vs Perpetual
I just read a brief article in Network World "BigFix hits rivals with 50% price chop". The article tries to take a negative spin on a marketing tactic that BigFix has taken. The author, John Dunn, looks at it from the perspective of BigFix casting the first stone in a potential price war with its competitors in the Patch Management arena.
Well, first off, I must say, BigFix works! I know this first hand. It is by far the best patch management solution available. So the opportunity to move to the BigFix offering is worth looking at. However, I think what John missed in his article is the fine print. BigFix provides it's software on a subscription basis. It makes perfect sense, when you see how the solution is managed and updated. Basically, in a nut shell, without BigFix, the software has no value. The content and updates that your unique environment requires, are fed to you by BigFix. So they are constantly updating and sending out the updates to its customers.
Because of this model, BigFix finds that a "subscription" is the most cost effective method for licensing its software. This is where you pay a yearly or multi-yearly subscription price to use the software. When the subscription expires the license goes away or is renewed. In contrast, most software is "purchased" through a "perpetual" license. In this scenario the software is purchased one time and maintenance is then paid to the vendor for the support and upgrades/updates. For many solutions this makes sense. The license is owned by the customer and can be used theoretically forever (Microsoft Office uses this model). However, for the Patch area it makes no sense because the content has to be continually updated by the vendor.
So you have to look deeper into John's article to see what is really going on at BigFix. BigFix, has a great patch product, no doubt. It also provides many other security solutions on that same platform that do everything from security configuration management to data leak prevention. The installation of the additional functionality is a simple process. The 50% discount doesn't equate though to the perpetual model, because the price is always cheaper in the short run, say one to three years, because the cost is spread out over the life of the contract.
So why not get people, who are having problems with their current patch solutions, to look at them. If you can get a demo with BigFix on patch, you will quickly see the many other benefits that the platform will bring to your environment.
The 50% discount is to get your attention, but it really is not an apples to apples comparison. Do let that stop you from looking, as they say at BigFix, "It Just Works"!
Well, first off, I must say, BigFix works! I know this first hand. It is by far the best patch management solution available. So the opportunity to move to the BigFix offering is worth looking at. However, I think what John missed in his article is the fine print. BigFix provides it's software on a subscription basis. It makes perfect sense, when you see how the solution is managed and updated. Basically, in a nut shell, without BigFix, the software has no value. The content and updates that your unique environment requires, are fed to you by BigFix. So they are constantly updating and sending out the updates to its customers.
Because of this model, BigFix finds that a "subscription" is the most cost effective method for licensing its software. This is where you pay a yearly or multi-yearly subscription price to use the software. When the subscription expires the license goes away or is renewed. In contrast, most software is "purchased" through a "perpetual" license. In this scenario the software is purchased one time and maintenance is then paid to the vendor for the support and upgrades/updates. For many solutions this makes sense. The license is owned by the customer and can be used theoretically forever (Microsoft Office uses this model). However, for the Patch area it makes no sense because the content has to be continually updated by the vendor.
So you have to look deeper into John's article to see what is really going on at BigFix. BigFix, has a great patch product, no doubt. It also provides many other security solutions on that same platform that do everything from security configuration management to data leak prevention. The installation of the additional functionality is a simple process. The 50% discount doesn't equate though to the perpetual model, because the price is always cheaper in the short run, say one to three years, because the cost is spread out over the life of the contract.
So why not get people, who are having problems with their current patch solutions, to look at them. If you can get a demo with BigFix on patch, you will quickly see the many other benefits that the platform will bring to your environment.
The 50% discount is to get your attention, but it really is not an apples to apples comparison. Do let that stop you from looking, as they say at BigFix, "It Just Works"!
Friday, February 20, 2009
Another Delta Story - Have you been Delta'd?
Well, once again I have been DELTA'd. A new verb that can be used when you are completely taken advantage of.
I have been planning, since the beginning of the year, to take a trip with a buddy of mine. We are both on pretty tight budgets, he being married has to have several purposes for the trip before the CEO of the Farquah family, Mrs. Farquah will approve the expense. Bill was going to fly from Birmingham, Alabama and connect in Atlanta and I was coming from West Palm. We were on our way to his brother's in Santa Cruz to play golf for the weekend. So it was a pretty big deal for both of us.
I had a 6:00 AM fight out of West Palm. As a good traveler should, I was there in plenty of time to check my clubs. I boarded the plan and away we departed........... But wait, for some reason, never shared with the passengers we had to stay put for 45 minutes on the runway. The weather was clear in West Palm, so certainly the weather must have been bad in Atlanta.
We finally took off, and knowing the Atlanta airport I knew it would be tight changing planes. As soon as I had landed, I called my friend who happened to be standing at my gate, I told him the situation and that he should go to our connection gate and let them know that we had just landed and that I would be running to the gate as soon as I got off. Oh and wait, the weather is perfect in Atlanta!
So I did just that. I ran, sprinted, from Terminal B to Terminal A, gate B13 to gate A9. When I got there the plane was still at the gate. Well yes of course it was there, we still had 5 minutes until the plane was supposed to leave, so why wouldn't it still be there.
There were no gate agents to be found. I walked past where they take your ticket, to the door that leads to the gang way. I knocked as loud as I could to get the attention of the people I could hear on the other side. I called Bill who was already on the plane. He said that the door was still open on the plane, I could hear him asking the flight attendant's to open the door to the gang way, that I was right outside.
After 5 minutes of banging and no one answering, I told my friend Bill I was going to see what I could do for an alternative flight. I went to the first gate agent I could find. I had heard previously that any gate agent can help you. The gate agent told me to go to the service desk. So much for that piece of advice. God forbid that you might find someone who would be willing to help you. After arriving at the service desk I was told to pick up a phone and call the customer service desk. Really good system, I guess they figure if you have to talk on the phone you can’t get physically violent with them!!
I called the service desk and was told that the only alternative flight was to connect in Dallas, Texas and then again in Salt Lake City, Utah and then go standby from Salt Lake to San Jose!! Well, you should be able to understand my overwhelming disappointment with this, “Plan B”. We had just made a simple flight from West Palm Beach, Florida to Atlanta, Georgia and I missed my connection. Now as an alternative, they were asking me to make two more connections and then fly standby. (I think you know my reaction!) The alternative to this was to fly back to West Palm Beach, where I would be charged for the round trip to Atlanta. And of course the earliest flight was at 1:30 PM. Even though there were two flights back to West Palm before that, she told me that this was the first one with a seat!
At that point I thought the safest pick would be to go back home. I did not want to be stuck in Dallas or Salt Lake City. The agent told me that the first plane that I could get on was at 1:30 PM that afternoon, mind you, it is know 8:30 AM in Atlanta. So what was I going to do for the morning? I decided that I would get some more exercise and walk to my new assigned gate of E8. As I walked over to the new terminal. I noticed that there were several earlier flights. Again I went to the service desk and called the customer service people. She said no problem that there were several seats available. Coincidentally, she was the same agent I had spoke to before. Why didn’t she ask me if I wanted to go home sooner? Why did she tell me that the 1:35 PM was the only flight that I could get a seat on? Anyway, she got me a ticket and to the gate I went.
When I got back to West Palm, I went to the baggage claim area. Of course my bags were not there. I then went to the baggage office for Delta. I told the agent the situation and he handed me a folder and told me to call the number on the front cover after 6:00 PM to find out where my bags were sent. He said that they could tell me when my bags could either be delivered or picked up. I explained that I would prefer to have them delivered.
I called as directed and was told that they did not know for sure; however, every indication was that my bags went onto San Jose. About 10:00 PM Thursday night I received a call from the Baggage Agent is San Jose, she left a message on my phone asking me what I wanted to do? Now you would think that someone would have notated something in the system, like I went back to West Palm Beach!
I called back Friday morning and was told that they thought the bags were in route back, but they could not tell me for sure what time, because of the connections that the bags would have to take. I called back again that evening and asked what time the bags were to be delivered and was told that they would not be delivered because I had not created a file! I did not know that I needed to create a file. I went to the baggage counter as instructed and told the agent the situation, so why didn’t he make a file? Why could not a file be created then? I sure don’t know, but it was definitely my fault according to them! Friday night I went to bed, still know knowing about the fate of my bags.
Saturday morning I woke up and called Delta first thing. I was told that my bags were now back in West Palm, but I had to pick them up! They were not going to be delivered regardless of what I said. Again, I was wrong for not creating a file I did not know about.
So at 7:30 AM Saturday morning off I went to the airport. My friend went with me and suggested that she go in the baggage office while I waited at the car. After sitting there a few minutes a Palm Beach County Deputy, told me to “make a loop!” I tried to explain that my girlfriend was coming out with the bags and he said he did not care: “MAKE A LOOP!”. I went to get back in the drivers seat when I realized that I had given my friend my drivers license. I told the deputy that I had given my license to her and I could not drive without it. Well, that was the wrong thing to say! He wrote me a $30.00 ticket for refusing to move!
What an adventure. I sure hope that this is an indication of what flying has become or the direction it is going. I have done quite a bit of flying over the last year. Several times I have been delayed quite a bit. Once I was stranded in Atlanta over night after missing a connection, but have never been treated this poorly by any airline. I am a Delta Medallion Flyer and it did not matter one bit. I think this experience will definitely cause me to rethink, my airline loyalty!!
I have been planning, since the beginning of the year, to take a trip with a buddy of mine. We are both on pretty tight budgets, he being married has to have several purposes for the trip before the CEO of the Farquah family, Mrs. Farquah will approve the expense. Bill was going to fly from Birmingham, Alabama and connect in Atlanta and I was coming from West Palm. We were on our way to his brother's in Santa Cruz to play golf for the weekend. So it was a pretty big deal for both of us.
I had a 6:00 AM fight out of West Palm. As a good traveler should, I was there in plenty of time to check my clubs. I boarded the plan and away we departed........... But wait, for some reason, never shared with the passengers we had to stay put for 45 minutes on the runway. The weather was clear in West Palm, so certainly the weather must have been bad in Atlanta.
We finally took off, and knowing the Atlanta airport I knew it would be tight changing planes. As soon as I had landed, I called my friend who happened to be standing at my gate, I told him the situation and that he should go to our connection gate and let them know that we had just landed and that I would be running to the gate as soon as I got off. Oh and wait, the weather is perfect in Atlanta!
So I did just that. I ran, sprinted, from Terminal B to Terminal A, gate B13 to gate A9. When I got there the plane was still at the gate. Well yes of course it was there, we still had 5 minutes until the plane was supposed to leave, so why wouldn't it still be there.
There were no gate agents to be found. I walked past where they take your ticket, to the door that leads to the gang way. I knocked as loud as I could to get the attention of the people I could hear on the other side. I called Bill who was already on the plane. He said that the door was still open on the plane, I could hear him asking the flight attendant's to open the door to the gang way, that I was right outside.
After 5 minutes of banging and no one answering, I told my friend Bill I was going to see what I could do for an alternative flight. I went to the first gate agent I could find. I had heard previously that any gate agent can help you. The gate agent told me to go to the service desk. So much for that piece of advice. God forbid that you might find someone who would be willing to help you. After arriving at the service desk I was told to pick up a phone and call the customer service desk. Really good system, I guess they figure if you have to talk on the phone you can’t get physically violent with them!!
I called the service desk and was told that the only alternative flight was to connect in Dallas, Texas and then again in Salt Lake City, Utah and then go standby from Salt Lake to San Jose!! Well, you should be able to understand my overwhelming disappointment with this, “Plan B”. We had just made a simple flight from West Palm Beach, Florida to Atlanta, Georgia and I missed my connection. Now as an alternative, they were asking me to make two more connections and then fly standby. (I think you know my reaction!) The alternative to this was to fly back to West Palm Beach, where I would be charged for the round trip to Atlanta. And of course the earliest flight was at 1:30 PM. Even though there were two flights back to West Palm before that, she told me that this was the first one with a seat!
At that point I thought the safest pick would be to go back home. I did not want to be stuck in Dallas or Salt Lake City. The agent told me that the first plane that I could get on was at 1:30 PM that afternoon, mind you, it is know 8:30 AM in Atlanta. So what was I going to do for the morning? I decided that I would get some more exercise and walk to my new assigned gate of E8. As I walked over to the new terminal. I noticed that there were several earlier flights. Again I went to the service desk and called the customer service people. She said no problem that there were several seats available. Coincidentally, she was the same agent I had spoke to before. Why didn’t she ask me if I wanted to go home sooner? Why did she tell me that the 1:35 PM was the only flight that I could get a seat on? Anyway, she got me a ticket and to the gate I went.
When I got back to West Palm, I went to the baggage claim area. Of course my bags were not there. I then went to the baggage office for Delta. I told the agent the situation and he handed me a folder and told me to call the number on the front cover after 6:00 PM to find out where my bags were sent. He said that they could tell me when my bags could either be delivered or picked up. I explained that I would prefer to have them delivered.
I called as directed and was told that they did not know for sure; however, every indication was that my bags went onto San Jose. About 10:00 PM Thursday night I received a call from the Baggage Agent is San Jose, she left a message on my phone asking me what I wanted to do? Now you would think that someone would have notated something in the system, like I went back to West Palm Beach!
I called back Friday morning and was told that they thought the bags were in route back, but they could not tell me for sure what time, because of the connections that the bags would have to take. I called back again that evening and asked what time the bags were to be delivered and was told that they would not be delivered because I had not created a file! I did not know that I needed to create a file. I went to the baggage counter as instructed and told the agent the situation, so why didn’t he make a file? Why could not a file be created then? I sure don’t know, but it was definitely my fault according to them! Friday night I went to bed, still know knowing about the fate of my bags.
Saturday morning I woke up and called Delta first thing. I was told that my bags were now back in West Palm, but I had to pick them up! They were not going to be delivered regardless of what I said. Again, I was wrong for not creating a file I did not know about.
So at 7:30 AM Saturday morning off I went to the airport. My friend went with me and suggested that she go in the baggage office while I waited at the car. After sitting there a few minutes a Palm Beach County Deputy, told me to “make a loop!” I tried to explain that my girlfriend was coming out with the bags and he said he did not care: “MAKE A LOOP!”. I went to get back in the drivers seat when I realized that I had given my friend my drivers license. I told the deputy that I had given my license to her and I could not drive without it. Well, that was the wrong thing to say! He wrote me a $30.00 ticket for refusing to move!
What an adventure. I sure hope that this is an indication of what flying has become or the direction it is going. I have done quite a bit of flying over the last year. Several times I have been delayed quite a bit. Once I was stranded in Atlanta over night after missing a connection, but have never been treated this poorly by any airline. I am a Delta Medallion Flyer and it did not matter one bit. I think this experience will definitely cause me to rethink, my airline loyalty!!
Thursday, February 19, 2009
The PC Lives……. YES it does!!
I just finished reading an article by Jason Brooks in this week's E-Week Magazine, “The PC Lives”. In the article Jason discusses the present state of the PC, both desktop and laptop. Jason has been on a quest to look at and evaluate Windows alternatives for a desktop operating system. So far he has not found a good alternative; however he has some observations regarding the PC and its future.
Over the past 16 months there has been a big push toward the cloud. Applications for the end user and consumer on the Web are popping up left and right. Google has it’s set of apps that have in many cases replaced the office suites that required you to take out that second mortgage to purchase. We thought it was predatory lending that put the economic situation in this shape, I have a theory, Mr Gates!.
Many people have purchased systems over the last few years to just have access to the web and email. So naturally hardware manufacturers have jumped on the band wagon to respond to this expanding market segment. Components on the systems have optimized to make the laptops and more appealing to travelers who are only using web applications.
But what is really going on here? Hard core business applications are not needed on personal systems anymore. Many people initially went out and purchased their first machine with the idea that they could now take work home. They wanted to have the same applications on those systems to make editing and format compatible. Now that many business applications are hosted, there is not a need for the high power machines as in the past. Unless you are a gamer, or doing a specific high power consuming process you don’t need the juice that was required of the past.
Web applications do not require you to have the horsepower. If you have a lot of bandwidth and RAM, and of course a mal-ware clean machine, chances are your are working just fine.
Does the PC live? Of course! But not in the same form it was 12 months ago and certainly not the way it was 36 months ago. Evolution is happening. Ten years ago while I was with Gateway Computer, we could see the future, a PC in every home. Now they are shooting for one in every pocket.
The natural evolution (can you say that about computers?) of computers is taking place. There might be a few applications out there that require high end specifications, and there could always be a new one to show up, but for the rest of the world,what’s happening is working quite well thank you!!
Happy Trails!
Jack
Over the past 16 months there has been a big push toward the cloud. Applications for the end user and consumer on the Web are popping up left and right. Google has it’s set of apps that have in many cases replaced the office suites that required you to take out that second mortgage to purchase. We thought it was predatory lending that put the economic situation in this shape, I have a theory, Mr Gates!.
Many people have purchased systems over the last few years to just have access to the web and email. So naturally hardware manufacturers have jumped on the band wagon to respond to this expanding market segment. Components on the systems have optimized to make the laptops and more appealing to travelers who are only using web applications.
But what is really going on here? Hard core business applications are not needed on personal systems anymore. Many people initially went out and purchased their first machine with the idea that they could now take work home. They wanted to have the same applications on those systems to make editing and format compatible. Now that many business applications are hosted, there is not a need for the high power machines as in the past. Unless you are a gamer, or doing a specific high power consuming process you don’t need the juice that was required of the past.
Web applications do not require you to have the horsepower. If you have a lot of bandwidth and RAM, and of course a mal-ware clean machine, chances are your are working just fine.
Does the PC live? Of course! But not in the same form it was 12 months ago and certainly not the way it was 36 months ago. Evolution is happening. Ten years ago while I was with Gateway Computer, we could see the future, a PC in every home. Now they are shooting for one in every pocket.
The natural evolution (can you say that about computers?) of computers is taking place. There might be a few applications out there that require high end specifications, and there could always be a new one to show up, but for the rest of the world,what’s happening is working quite well thank you!!
Happy Trails!
Jack
Wednesday, February 18, 2009
Off to California
Just wanted to say hey, I am off to see some crazy friends. Three days in Santa Cruz! I hope I can turn the throttle back.
Adios!
Jack
Adios!
Jack
Identity and Access Management - Where Is It?
Several years ago while I was working as an Account Manager at CA, there was an incredible interest stirring in Identity and Access Management (IAM) systems to satisfy regulatory compliance, streamline the provisioning and de-provisioning of software, simplify the end-users password experience and, to allow the end user to automate the whole password reset process if the user was locked out of a private network.
It was amazing to me how complex all of these systems are as stand alone solutions, however the greatest value and return on investment comes when all the systems were working together in unison. Can you imagine the amount planning and system modifications that have to be made to reach that level of integration? Usually there would be an immediate need for one piece of the system over another, say password reset over password synchronization, but generally there was the goal of one day implementing the whole solution.
It is obvious to me the benefits of IAM systems, and I thought surely this would be the next frontier of opportunity in the security sector. However, what has surprised me, is how the technology has not advanced much to ease the complexities of implementation to where the benefits far outweigh the cost of implementation making adoption an easy decision.
It still amazes me when I hear about friends going back to work and companies, that they had previously left, and all their ID's and application access was still there! (just like they never left). Pretty scary!
The other big area with IAM systems that really has never been addressed in a good way, is password synchronization. How many systems do we have to remember passwords for on a daily basis. As end users, are we using the same password for each system we try to access, so if one were to be stolen, the thief might have access to all systems that user had access to? This is a great security vulnerability. And what about our home systems? Think of all the applications and web access portals we use every day, and do not have any secure way to safeguard those passwords and to randomly, periodically mix them up so that if you were ever to get your ID stolen you could quickly go to one place and turn them all off.
I still think there is a great deal of improvement needed with the technology before you will see a overwhelming adoption of Identity and Access Management Systems. I do not think one vendor has taken a clear lead and has put this technology on the map to make it a must have solution set. The market is wide open and if you consider what could be done on the consumer level the opportunities abound. Take it one step further, and look at what tight integration with Network Access Control (NAC) systems could do for you.
The possibilities are endless. There are companies like StillSecure that have the vision, and are trying to get there as quickly as possible. One day it will be here, and the supplier of the technology, will be able to write their own ticket!
Have a great one!!!
Jack
It was amazing to me how complex all of these systems are as stand alone solutions, however the greatest value and return on investment comes when all the systems were working together in unison. Can you imagine the amount planning and system modifications that have to be made to reach that level of integration? Usually there would be an immediate need for one piece of the system over another, say password reset over password synchronization, but generally there was the goal of one day implementing the whole solution.
It is obvious to me the benefits of IAM systems, and I thought surely this would be the next frontier of opportunity in the security sector. However, what has surprised me, is how the technology has not advanced much to ease the complexities of implementation to where the benefits far outweigh the cost of implementation making adoption an easy decision.
It still amazes me when I hear about friends going back to work and companies, that they had previously left, and all their ID's and application access was still there! (just like they never left). Pretty scary!
The other big area with IAM systems that really has never been addressed in a good way, is password synchronization. How many systems do we have to remember passwords for on a daily basis. As end users, are we using the same password for each system we try to access, so if one were to be stolen, the thief might have access to all systems that user had access to? This is a great security vulnerability. And what about our home systems? Think of all the applications and web access portals we use every day, and do not have any secure way to safeguard those passwords and to randomly, periodically mix them up so that if you were ever to get your ID stolen you could quickly go to one place and turn them all off.
I still think there is a great deal of improvement needed with the technology before you will see a overwhelming adoption of Identity and Access Management Systems. I do not think one vendor has taken a clear lead and has put this technology on the map to make it a must have solution set. The market is wide open and if you consider what could be done on the consumer level the opportunities abound. Take it one step further, and look at what tight integration with Network Access Control (NAC) systems could do for you.
The possibilities are endless. There are companies like StillSecure that have the vision, and are trying to get there as quickly as possible. One day it will be here, and the supplier of the technology, will be able to write their own ticket!
Have a great one!!!
Jack
Tuesday, February 17, 2009
Prox Cards for Personal Use
I was looking through the security web sites that I read this morning and saw an interesting article in Information Week from February 8, 2009. In the article "Startup May Just Digitize you Wallet", George Hulm discusses using newly developed technology by Proxense a Bend Or. company.
I have thought about this type of technology for years, and from the gist of the article it seems that others have as well. I for one, am so tired of carrying a wallet full of store reward cards to get the best price on a product at one of my favorite retailers. I do not know who came up with this system but, I can think of a few things I would like to do to the inventor of this idea!
I think they are responsible for all the back problems I now suffer from carrying them around in my back pocket and causing me to sit leaning to my left side. And when I travel, I try to cull out the ones I don't use to lighten my load, and inevitable I need one I don't have. Not a very good system.
The questions that come to my mind though, are how will the information be secured? Can the data be intercepted? What about the data store, how will it be secured? Is the system maintained by you or a third party or the retailer? If we could control what gets added and removed by updating a form on a secure web-page I think I might really look forward to this type of technology.
In addition to the obvious benefits, George speaks about the countless other applications as well as using it to store vital health information. Now we are getting somewhere.
The idea of this technology and innovation gets me excited because it places that technology in the hands of everyone. There are countless technological advancements created everyday; however, most people never realize it because it is behind the scenes. That is what was so much fun about working in IT in the '80's. Every day you would see a new product that would change the way you do things: mice, printers, graphical interfaces, mass storage devices, the internet.........
I know that this is a very rough time for everyone. But maybe it is what our country needed to stimulate innovative thinking and motivate people to implement those great ideas that they have been holding in for so long.
Oh, and remember what Oscar Wilde said,"Only dull people are brilliant at breakfast".
Jack
I have thought about this type of technology for years, and from the gist of the article it seems that others have as well. I for one, am so tired of carrying a wallet full of store reward cards to get the best price on a product at one of my favorite retailers. I do not know who came up with this system but, I can think of a few things I would like to do to the inventor of this idea!
I think they are responsible for all the back problems I now suffer from carrying them around in my back pocket and causing me to sit leaning to my left side. And when I travel, I try to cull out the ones I don't use to lighten my load, and inevitable I need one I don't have. Not a very good system.
The questions that come to my mind though, are how will the information be secured? Can the data be intercepted? What about the data store, how will it be secured? Is the system maintained by you or a third party or the retailer? If we could control what gets added and removed by updating a form on a secure web-page I think I might really look forward to this type of technology.
In addition to the obvious benefits, George speaks about the countless other applications as well as using it to store vital health information. Now we are getting somewhere.
The idea of this technology and innovation gets me excited because it places that technology in the hands of everyone. There are countless technological advancements created everyday; however, most people never realize it because it is behind the scenes. That is what was so much fun about working in IT in the '80's. Every day you would see a new product that would change the way you do things: mice, printers, graphical interfaces, mass storage devices, the internet.........
I know that this is a very rough time for everyone. But maybe it is what our country needed to stimulate innovative thinking and motivate people to implement those great ideas that they have been holding in for so long.
Oh, and remember what Oscar Wilde said,"Only dull people are brilliant at breakfast".
Jack
Monday, February 16, 2009
Managed Services The New Frontier........ WHAT?
I woke up this morning thinking about the business model that I am going to shape Secure Technology Partners, Inc. into. The thing that kept sticking in my mind was what Steve Harris, former CEO of Protect Point, which was recently purchased by StillSecure, said to me last week. “It is time for a paradigm shift” on how businesses purchase and implement IT solutions. He said, and I strongly agree, "it is the natural evolution of application delivery".
Of course Steve's company has been offering Managed Security Services for sometime so he has, I am sure, heard many of the objections to this delivery model. However, I think it is now time to really pay attention to this and to consider this type of model for many of your IT Systems.
I think the immediate driver to this type of model is economics (what better timing could you ask for!). If you look at the sheer cost of maintaining a typical IDS/IPS environment, you could most likely justify this this type of application delivery. You have the people that are responsible for the system, the maintenance on the system both hardware and software. You have the soft costs associated with failures and system glitches, and of course the mother load of all costs, a system is compromised.
I have been in many enterprise environments, where there were resources available to do the work in-house, and I have seen, without much trouble, many holes that could be breached in those systems. Primarily, this is due to the fact that the people running those systems are not the experts and that they are often taken off those systems to address higher priority tasks . I don't mean that in an offensive way, however how can they be the expert with all the hats that one has to wear today?
Many administrators have been trained on the systems they are charged to manage. Some have even been pioneers in the adoption of the technology and have worked with it since its inception. However, the disconnect comes from the fact that no system is static. It is forever changing and each change effects other systems and so on down the line. Vendors are constantly changing their applications and upgrading and patching on a daily basis. It is not until a system breaks that you might realize there was a change made.
There is no way humanly possible that, regardless of training, or amount of time spent on the system that administrators can be the expert over and above the vendor providing the solution. The gap comes from your system to theirs. But what if, where ever possible, you were to outsource those critical systems and offload the operational cost to a provider that would be your expert?
Immediately, you should see better service levels, the cost for the system operation should go down, and you now have experts that are trained and have access to resources so that if there is a failure, it is not going to be on your end, taking your resources to figure out their problem.
But is this enough to make the switch? Just consider this. Bob Evans, senior VP and director of InformationWeek's Global CIO unit, wrote "An Open Letter To Oracle CEO Larry Ellison", in the February 2nd, 2009 edition. In it he states some very interesting information regarding Oracles firm stance on charging a FLAT 22% for maintenance to everyone. As consumers who need the technology, you are forced to pay maintenance fees for service that you might never use. In addition, Oracles' President Charles Phillips pointed out, in an InformationWeek interview, that the fee's "fund product development and allow Oracle to create next generation product". Is that what we are paying for? I thought that was figured into the initial cost of the purchase.
Hopefully, you can see my point. The added costs with maintaining an in-house system do not provide you with a higher level of service or any additional benefits, from one that can be truly delivered in a SaaS or Service Provider scenario.
Whether you are looking at backup and recovery, security systems or many other IT systems, many can be supplied as a service. Pay one fee and get the service you require without the overhead expenses, infrastructure cost or liability.
Sounds good to me! I want to deliver what clients want and more importantly need, and to make sure that they are profitable, or at least, not be the cause of their failure, so that I can continue my partnership with them into the future. You can buy the best software & hardware money can buy, however, if it is not implemented and managed correctly it’s not going to work and usually the cost to make it work are far more then you budgeted for. The last thing Steve Harris said to me, and I can relate, “Just because you use Tiger Woods driver, doesn’t mean you will play golf like him”!
Until next time:, Hit em straight!!
Regards,
Jack
Of course Steve's company has been offering Managed Security Services for sometime so he has, I am sure, heard many of the objections to this delivery model. However, I think it is now time to really pay attention to this and to consider this type of model for many of your IT Systems.
I think the immediate driver to this type of model is economics (what better timing could you ask for!). If you look at the sheer cost of maintaining a typical IDS/IPS environment, you could most likely justify this this type of application delivery. You have the people that are responsible for the system, the maintenance on the system both hardware and software. You have the soft costs associated with failures and system glitches, and of course the mother load of all costs, a system is compromised.
I have been in many enterprise environments, where there were resources available to do the work in-house, and I have seen, without much trouble, many holes that could be breached in those systems. Primarily, this is due to the fact that the people running those systems are not the experts and that they are often taken off those systems to address higher priority tasks . I don't mean that in an offensive way, however how can they be the expert with all the hats that one has to wear today?
Many administrators have been trained on the systems they are charged to manage. Some have even been pioneers in the adoption of the technology and have worked with it since its inception. However, the disconnect comes from the fact that no system is static. It is forever changing and each change effects other systems and so on down the line. Vendors are constantly changing their applications and upgrading and patching on a daily basis. It is not until a system breaks that you might realize there was a change made.
There is no way humanly possible that, regardless of training, or amount of time spent on the system that administrators can be the expert over and above the vendor providing the solution. The gap comes from your system to theirs. But what if, where ever possible, you were to outsource those critical systems and offload the operational cost to a provider that would be your expert?
Immediately, you should see better service levels, the cost for the system operation should go down, and you now have experts that are trained and have access to resources so that if there is a failure, it is not going to be on your end, taking your resources to figure out their problem.
But is this enough to make the switch? Just consider this. Bob Evans, senior VP and director of InformationWeek's Global CIO unit, wrote "An Open Letter To Oracle CEO Larry Ellison", in the February 2nd, 2009 edition. In it he states some very interesting information regarding Oracles firm stance on charging a FLAT 22% for maintenance to everyone. As consumers who need the technology, you are forced to pay maintenance fees for service that you might never use. In addition, Oracles' President Charles Phillips pointed out, in an InformationWeek interview, that the fee's "fund product development and allow Oracle to create next generation product". Is that what we are paying for? I thought that was figured into the initial cost of the purchase.
Hopefully, you can see my point. The added costs with maintaining an in-house system do not provide you with a higher level of service or any additional benefits, from one that can be truly delivered in a SaaS or Service Provider scenario.
Whether you are looking at backup and recovery, security systems or many other IT systems, many can be supplied as a service. Pay one fee and get the service you require without the overhead expenses, infrastructure cost or liability.
Sounds good to me! I want to deliver what clients want and more importantly need, and to make sure that they are profitable, or at least, not be the cause of their failure, so that I can continue my partnership with them into the future. You can buy the best software & hardware money can buy, however, if it is not implemented and managed correctly it’s not going to work and usually the cost to make it work are far more then you budgeted for. The last thing Steve Harris said to me, and I can relate, “Just because you use Tiger Woods driver, doesn’t mean you will play golf like him”!
Until next time:, Hit em straight!!
Regards,
Jack
Sunday, February 15, 2009
Does IT Security Need A Governing Body - NOT!
In the February 2009 SC Magazine, Richard Starnes, the President of the Bluegrass Chapter of ISSA, tries to make the point that there should be a governing body for IT Security ("Security needs a governing body"), such as the American Medical Association or the American Bar Association. To this I say - BS! The last thing that the IT or any industry needs today is another FAT, self serving governing body.
One of the great things about America, and Americans is that, deep down there is still a ray of hope for success through hard work and perseverance. This system allows the ones that perform well to rise to the top and those that cannot deliver to go away. Yes, I guess anyone can say that they can provide the service or solution and then not deliver, but I think we all would agree that those people do not last very long. Bad service and false commitments happens in governed professions as well, I have a lot of first hand experience there!
The IT business has had monumental growth since the early 1980's because of the innovation and creativity of the many contributors in the industry. To say that you will now have to do things a certain way and to have the certifications, (what a profit center!) in order to complete the work is ridiculous. Much of the best work and most technology advancing innovations have come from kids! I have worked with many young adults, and put in the right environment without certifications, without specific education, and without access to a common body of knowledge they were professional. And, we all know who really works in those governing bodies - the people who could not cut it on the outside!
I suspect that Richard has ties to government/bureaucracy or has been burned by a vendor for not doing his due diligence or paying attention to the wrong reasons for purchasing. Does that mean that the system does not work? If you buy something and it does not meet your expectations you either get satisfaction from the vendor to make it right or you never do business with them again.
Richard tries to point out that because there are other bureaucratic organizations that require education, certifications, and specialized knowledge before you can work in the field that you should consider this same structure for IT security, because in many cases we are already doing it. But what does that really mean?
It would mean that, many young people would be prohibited from entering the industry because of the cost for "required" education. It would mean that vendors would have to charge more because they adhere to the governing bodies rules and regulations, which are mostly self serving. However, most importantly, is that the cost for service would go up astronomically to the end users (just as medical and legal services have), at a time when we cannot put up any more roadblocks to organizations implementing systems to protect their data, their investors data, and their customers personal information. And really does the AMA, and the American Bar Association protect the end user or are they governing bodies that make the access to goods and services prohibitive for certain people and make it difficult to seek recourse for bad work. Should there be Mal-Practice insurance available for the IT Security industry too?
Although, at the initial thought, it may appear like a good idea, more bureaucracy only adds cost, slows down innovation and prohibits new comers from entering the field. Richard closes by asking the question, "Are we a profession?" I am not sure what Richard does each day, but for the last 29 years I have been in this industry it has never entered my mind. I have always know I am a "Professional".
One of the great things about America, and Americans is that, deep down there is still a ray of hope for success through hard work and perseverance. This system allows the ones that perform well to rise to the top and those that cannot deliver to go away. Yes, I guess anyone can say that they can provide the service or solution and then not deliver, but I think we all would agree that those people do not last very long. Bad service and false commitments happens in governed professions as well, I have a lot of first hand experience there!
The IT business has had monumental growth since the early 1980's because of the innovation and creativity of the many contributors in the industry. To say that you will now have to do things a certain way and to have the certifications, (what a profit center!) in order to complete the work is ridiculous. Much of the best work and most technology advancing innovations have come from kids! I have worked with many young adults, and put in the right environment without certifications, without specific education, and without access to a common body of knowledge they were professional. And, we all know who really works in those governing bodies - the people who could not cut it on the outside!
I suspect that Richard has ties to government/bureaucracy or has been burned by a vendor for not doing his due diligence or paying attention to the wrong reasons for purchasing. Does that mean that the system does not work? If you buy something and it does not meet your expectations you either get satisfaction from the vendor to make it right or you never do business with them again.
Richard tries to point out that because there are other bureaucratic organizations that require education, certifications, and specialized knowledge before you can work in the field that you should consider this same structure for IT security, because in many cases we are already doing it. But what does that really mean?
It would mean that, many young people would be prohibited from entering the industry because of the cost for "required" education. It would mean that vendors would have to charge more because they adhere to the governing bodies rules and regulations, which are mostly self serving. However, most importantly, is that the cost for service would go up astronomically to the end users (just as medical and legal services have), at a time when we cannot put up any more roadblocks to organizations implementing systems to protect their data, their investors data, and their customers personal information. And really does the AMA, and the American Bar Association protect the end user or are they governing bodies that make the access to goods and services prohibitive for certain people and make it difficult to seek recourse for bad work. Should there be Mal-Practice insurance available for the IT Security industry too?
Although, at the initial thought, it may appear like a good idea, more bureaucracy only adds cost, slows down innovation and prohibits new comers from entering the field. Richard closes by asking the question, "Are we a profession?" I am not sure what Richard does each day, but for the last 29 years I have been in this industry it has never entered my mind. I have always know I am a "Professional".
Saturday, February 14, 2009
The Joys of Starting a Business
My technical skills have been humbled the last few days trying to get my web-site going and to send and retrieve email through my new corporate email system.
My friend and web designer, Carey Landon, in Birmingham, AL has been very gracious and I must say, patient, with me trying to get this going. It seems that the problem was on my end....isn't it always!
I jumped away from Windows a year ago to the Mac and, although I consider myself pretty competent with the Mac since it was first released in 1984 I could not figure it out. I felt I had the skills to fix this; however I could not find the switch that was preventing me from receiving or sending corporate email.
Low and behold, in typical "technical support" fashion it started to work, mind you, on its own! After three days of inputting the same info into the same fields over and over again I can now send and receive email.
I was never able to get "Mac Mail" to work at all, but I was able to download Thunderbird by Mozilla, and after several frustrating hours this morning ( I guess it is a secret Apple initiation) it began to work. I inputted the SAME info over and over again, in the SAME fields (same syntax) and and low and behold the messages began coming in. Just to be sure, I had to, with fingers crossed, forward one to my gmail account. I must have worn down the system or whichever computer god responsible for this prank felt pity on me, and it now works beautiful.
Technology has made great strides forward since I started in IT 1984, but still some things are still complex and very difficult to setup without access to any resources.
I must acknowledge and say Thanks to everyone who spends hours on the phone trying to help other less knowledgeable users get their projects completed.
Hopefully, that will be the last speed bump for today.
Happy Valentines to everyone!
Jack
My friend and web designer, Carey Landon, in Birmingham, AL has been very gracious and I must say, patient, with me trying to get this going. It seems that the problem was on my end....isn't it always!
I jumped away from Windows a year ago to the Mac and, although I consider myself pretty competent with the Mac since it was first released in 1984 I could not figure it out. I felt I had the skills to fix this; however I could not find the switch that was preventing me from receiving or sending corporate email.
Low and behold, in typical "technical support" fashion it started to work, mind you, on its own! After three days of inputting the same info into the same fields over and over again I can now send and receive email.
I was never able to get "Mac Mail" to work at all, but I was able to download Thunderbird by Mozilla, and after several frustrating hours this morning ( I guess it is a secret Apple initiation) it began to work. I inputted the SAME info over and over again, in the SAME fields (same syntax) and and low and behold the messages began coming in. Just to be sure, I had to, with fingers crossed, forward one to my gmail account. I must have worn down the system or whichever computer god responsible for this prank felt pity on me, and it now works beautiful.
Technology has made great strides forward since I started in IT 1984, but still some things are still complex and very difficult to setup without access to any resources.
I must acknowledge and say Thanks to everyone who spends hours on the phone trying to help other less knowledgeable users get their projects completed.
Hopefully, that will be the last speed bump for today.
Happy Valentines to everyone!
Jack
Friday, February 13, 2009
Day 2
As the reality of my new venture sets in, I woke up this morning with a million things on my mind and the urgency to get them all done at the same time. The problem with that is, each of these critical tasks are creating more and more tasks. Yikes!
I am not overwhelmed yet, I am really looking forward to the future with less apprehension of this path I am taking. The fire in me is beginning to get hotter, and the reality of ....... I CAN DO IT! I know how to do it! I have done it for others! So why not? is setting in. I look forward to the Windmills I will battle and the joys of not having to forecast for anyone but ME!!!!
If anyone might have any suggestions or advice you can give me for my new steps forward: my new Blog: Secure or Not Secure, my new web-site: www.securetechfl.com or for Secure Technology Partners, please, please let me know.
In the mean time, I guess I will just try to tackle one task at a time....... yea right, I think maybe two, three or four tasks at a time might be more realistic.
Until I try this again...... May you always ride with the wind at your back!!!!
Jack
I am not overwhelmed yet, I am really looking forward to the future with less apprehension of this path I am taking. The fire in me is beginning to get hotter, and the reality of ....... I CAN DO IT! I know how to do it! I have done it for others! So why not? is setting in. I look forward to the Windmills I will battle and the joys of not having to forecast for anyone but ME!!!!
If anyone might have any suggestions or advice you can give me for my new steps forward: my new Blog: Secure or Not Secure, my new web-site: www.securetechfl.com or for Secure Technology Partners, please, please let me know.
In the mean time, I guess I will just try to tackle one task at a time....... yea right, I think maybe two, three or four tasks at a time might be more realistic.
Until I try this again...... May you always ride with the wind at your back!!!!
Jack
Thursday, February 12, 2009
Volume 1 Edition 1
Well isn't that how it goes..... The evolution of communication. I finally bit the bullet and decided it was time to do my own thing and tell the world about it.
As some of you may know me, I have been in the IT biz for over twenty years, I have always been successful working for IT vendors on both the hardware and software side. Times have changed and it is now time for a paradigm shift for me to make ends meet.
That being said, I have just started a new company: Secure Technology Partners. I hope to be able to provide the best technology and services available for the sector I am in. For many years I have done this for the companies that I have worked for. Now it is time to do it for me.
I have worked with many, many talented people over my career and some are fortunate to be working in these trying times; however the ones that aren't working, I hope to corral and kick off the most bad ass technology gig yet.
I hope that I can get this off the ground and continue to be successful. Thank you Alan! , for your support, this is an option that I was reluctant to take; however, it's time to grow up! And Thank you Carey Landon for taking me to the World Wide Web......... your awesome!!!!!!!!
Until I write again Ciao,
Jack
As some of you may know me, I have been in the IT biz for over twenty years, I have always been successful working for IT vendors on both the hardware and software side. Times have changed and it is now time for a paradigm shift for me to make ends meet.
That being said, I have just started a new company: Secure Technology Partners. I hope to be able to provide the best technology and services available for the sector I am in. For many years I have done this for the companies that I have worked for. Now it is time to do it for me.
I have worked with many, many talented people over my career and some are fortunate to be working in these trying times; however the ones that aren't working, I hope to corral and kick off the most bad ass technology gig yet.
I hope that I can get this off the ground and continue to be successful. Thank you Alan! , for your support, this is an option that I was reluctant to take; however, it's time to grow up! And Thank you Carey Landon for taking me to the World Wide Web......... your awesome!!!!!!!!
Until I write again Ciao,
Jack
Subscribe to:
Posts (Atom)
